Royal Bank of Scotland fixes data-stealing flaw

**Glaswegian** · 05-21-2008, 10:47 AM

The Royal Bank of Scotland (RBS) has fixed a cross-site scripting flaw in its Worldpay Internet payments service that could have allowed attackers to steal users' credit card details, according to a report.

Adam Grit discovered the cross-site scripting (XSS) flaw in a secure payment page of the Worldpay site, RBS' Internet payments service, according to a report from IT industry journal The Register.

The flaw allowed third parties to inject content into the page, as Grit demonstrated with a pop-up window reading "Is it safe?"

An attacker could have taken advantage of the flaw to inject a false login box and steal user credentials, Grit said.

http://www.techworld.com/security/ne...&NewsID=101560

**Kalim** · 05-22-2008, 07:53 PM

Wow, thats such a massive flaw!

They can even steal all your data real-time using that.

I get so many scam emails from RBS its very hard to figure out which one's real nowadays.

05-21-2008, 10:47 AM	#1 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 21,371 OS: Win XP Pro SP3 My System Blog Entries: 10	Royal Bank of Scotland fixes data-stealing flaw The Royal Bank of Scotland (RBS) has fixed a cross-site scripting flaw in its Worldpay Internet payments service that could have allowed attackers to steal users' credit card details, according to a report. Adam Grit discovered the cross-site scripting (XSS) flaw in a secure payment page of the Worldpay site, RBS' Internet payments service, according to a report from IT industry journal The Register. The flaw allowed third parties to inject content into the page, as Grit demonstrated with a pop-up window reading "Is it safe?" An attacker could have taken advantage of the flaw to inject a false login box and steal user credentials, Grit said. http://www.techworld.com/security/ne...&NewsID=101560 __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::5 Steps For Infected PCs

05-22-2008, 07:53 PM	#2 (permalink)
Kalim Roaming To Help Join Date: Nov 2006 Posts: 5,609 OS: Many	Re: Royal Bank of Scotland fixes data-stealing flaw Wow, thats such a massive flaw! They can even steal all your data real-time using that. I get so many scam emails from RBS its very hard to figure out which one's real nowadays.